PFXImportCertStore issue - cryptoapi
I imported a third-party CA-issued PFX certificate using PFXImportCertStore. Upon successful import, the PCERT_KEY_PROV_INFO_PROP_ID is set to the following values by default by the same PFXImportCertStore call:

1. Why is the dwKeySpec recognised as the AT_KEYEXCHANGE key type rather than AT_SIGNATURE?
2. Why is pwszProvName set to Microsoft Base Cryptographic Provider v1.0?
3. The certificate in the first place was issued ONLY for digital signing. But the key usage field indicates that the certificate can be used for Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0). Enhanced key usage indicates Client Authentication and Secure Email. Has the CA issued the certificate correctly? The front of the certificate shows the following message (screenshot below), which makes me suspect that this certificate was not issued for digital signing. Am I thinking correctly or not?
4. Because of these issues, I am unable to sign data using CryptSignMessage. The internal call fails to acquire a context to the private key for signing. Any suggestions on how I can get around this issue?

I am able to sign with a self-signed PFX cert which I generated. Do you think that I could export the private key into a new container and set its property to AT_SIGNATURE and the CSP provider type to PROV_RSA_AES, as I require SHA256?

I am working with XP SP3.

Thanks
Answer 1: The key is automatically classified as AT_KEYEXCHANGE because its usage is also to encrypt session keys etc., i.e. though my application's main purpose is to digitally sign data, the CA has defined the key usage policy to include encipherment, which forces CryptoAPI to map the key type to AT_KEYEXCHANGE.
Answer 2: I ASSUME that it is the default CSP on this machine, so...? Any better explanation, please.
Answer 3: From many replies from guys in the Crypto Google group, an AT_KEYEXCHANGE key can also be used to sign data, provided your certificate's key usage allows you to do digital signing. It seems to be common practice for third-party CAs to issue certificates that can be used for multiple purposes. So the third-party CA has issued the certificate correctly.
Answer 4: I managed to sign data using CryptSignMessage with the same third-party-issued certificate. I changed the dwProvType in PCERT_KEY_PROV_INFO_PROP_ID to PROV_RSA_AES and passed in NULL for pwszProvName. This change is performed by using CertGetCertificateContextProperty first to get the properties and then using CertSetCertificateContextProperty to set the properties of your choice. This fixed the signing issue. Now I am able to sign with SHA256/RSA1024 and an AT_KEYEXCHANGE key.
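The property rewrite that Answer 4 describes, as an added example in C that is not code from the thread: it reads the certificate's CERT_KEY_PROV_INFO_PROP_ID record (the property the question calls PCERT_KEY_PROV_INFO_PROP_ID) with CertGetCertificateContextProperty, changes dwProvType to PROV_RSA_AES, sets pwszProvName to NULL so CryptoAPI picks the default CSP of that type, and writes it back with CertSetCertificateContextProperty. The function names retarget_to_rsa_aes and retarget_cert_key_provider are mine, the typedefs and constants under the non-Windows branch are stand-ins I supplied so the selection logic can be compiled and unit tested off a Windows box (on Windows they come from wincrypt.h), and the example assumes, as Answer 4 found, that the key container created by PFXImportCertStore is reachable through the default PROV_RSA_AES provider.

```c
/* Added example (not from the thread): retarget a certificate's
 * CERT_KEY_PROV_INFO_PROP_ID record to the PROV_RSA_AES provider type. */
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")
#else
/* Assumed stand-ins so the provider-selection logic compiles and can be unit
 * tested on a non-Windows host; on Windows these come from wincrypt.h. */
typedef unsigned long DWORD;
typedef wchar_t *LPWSTR;
typedef struct {
    LPWSTR pwszContainerName;
    LPWSTR pwszProvName;
    DWORD  dwProvType;
    DWORD  dwFlags;
    DWORD  cProvParam;
    void  *rgProvParam;
    DWORD  dwKeySpec;
} CRYPT_KEY_PROV_INFO;
#define PROV_RSA_FULL      1
#define PROV_RSA_SIG       2
#define PROV_DSS           3
#define PROV_RSA_SCHANNEL  12
#define PROV_RSA_AES       24
#define AT_KEYEXCHANGE     1
#define AT_SIGNATURE       2
#endif

/* Rewrite the record so that the key container is opened through the
 * machine's default PROV_RSA_AES CSP, which can produce SHA-256 signatures.
 * dwKeySpec is deliberately left alone: an AT_KEYEXCHANGE key may still sign
 * when the certificate's key usage includes digitalSignature (Answer 3).
 * Returns 1 if the record was changed, 0 if it already referenced the default
 * PROV_RSA_AES provider, and -1 if it does not describe an RSA provider at
 * all (a DSS or smart-card container cannot simply be reopened by an RSA/AES
 * CSP, so retargeting it would only move the failure). */
int retarget_to_rsa_aes(CRYPT_KEY_PROV_INFO *info)
{
    switch (info->dwProvType) {
    case PROV_RSA_FULL:
    case PROV_RSA_SIG:
    case PROV_RSA_SCHANNEL:
    case PROV_RSA_AES:
        break;
    default:
        return -1;
    }
    if (info->dwProvType == PROV_RSA_AES && info->pwszProvName == NULL)
        return 0;
    info->dwProvType   = PROV_RSA_AES;
    info->pwszProvName = NULL;   /* NULL = default CSP of that provider type */
    return 1;
}

#ifdef _WIN32
/* Read the property with the usual two-call size pattern, retarget it, and
 * write it back on the certificate context. CryptSignMessage calls that use
 * this context afterwards acquire the private key through the RSA/AES CSP. */
BOOL retarget_cert_key_provider(PCCERT_CONTEXT ctx)
{
    DWORD cb = 0;
    CRYPT_KEY_PROV_INFO *info;
    BOOL ok;

    if (!CertGetCertificateContextProperty(ctx, CERT_KEY_PROV_INFO_PROP_ID, NULL, &cb))
        return FALSE;                 /* certificate carries no key reference */
    info = (CRYPT_KEY_PROV_INFO *)malloc(cb);
    if (info == NULL)
        return FALSE;
    if (!CertGetCertificateContextProperty(ctx, CERT_KEY_PROV_INFO_PROP_ID, info, &cb)) {
        free(info);
        return FALSE;
    }
    wprintf(L"before: provider=%ls type=%lu keyspec=%lu\n",
            info->pwszProvName ? info->pwszProvName : L"(default)",
            info->dwProvType, info->dwKeySpec);
    if (retarget_to_rsa_aes(info) < 0) {
        free(info);
        return FALSE;
    }
    ok = CertSetCertificateContextProperty(ctx, CERT_KEY_PROV_INFO_PROP_ID, 0, info);
    free(info);
    return ok;
}
#endif
```

Call retarget_cert_key_provider on the PCCERT_CONTEXT obtained from the store that PFXImportCertStore returned, before handing that context to CryptSignMessage. The property is changed on the in-memory context only; the key container itself is untouched, which is why the container must be one the RSA/AES CSP can open (the Microsoft RSA CSPs share their container storage, so a container created under the Base CSP is visible to the Enhanced RSA and AES CSP). The record is printed before the change so you can confirm that what you are retargeting is the Base CSP container the question describes.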